Impact
A use‑after‑free flaw exists in the core of Google Chrome on Windows, allowing a remote attacker who has already compromised the renderer to execute arbitrary code by loading a specially crafted HTML page. The weakness is classified as CWE‑416, which describes a memory safety failure due to accessing freed memory, and CWE‑825, which relates to uninitialized memory or data read. The primary impact of this vulnerability is the potential for a sandbox escape that can lead to full system compromise if the attacker can gain sufficient privileges.
Affected Systems
Google Chrome for Windows versions prior to 148.0.7778.168 are affected. Users running older builds of Chrome on Windows may be vulnerable until they upgrade to the patched release. No other operating systems or platforms are listed as affected in the current advisory.
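The version boundary above can be checked across a host inventory as follows. This is an added example, not part of the advisory or any vendor tooling; the record format, host names and sample versions are constructed. Versions are compared numerically because a plain string comparison would rank 148.0.7778.99 above 148.0.7778.168.

```python
import re

# First patched Windows build, taken from the advisory text.
FIXED = (148, 0, 7778, 168)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return a four-part Chrome version as a tuple of ints, or None."""
    match = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(os_name, version_text):
    """Classify one inventory record against the advisory's affected range."""
    if os_name.strip().lower() != "windows":
        return "not-listed"   # the advisory lists only Windows as affected
    version = parse_version(version_text)
    if version is None:
        return "unknown"      # unparseable value: manual review, not a pass
    return "vulnerable" if version < FIXED else "patched"


def triage(records):
    """Group host names by classification."""
    groups = {}
    for host, os_name, version_text in records:
        groups.setdefault(classify(os_name, version_text), []).append(host)
    return groups


# Constructed sample inventory: (host, OS, reported Chrome version).
SAMPLE = [
    ("ws-01", "Windows", "148.0.7778.168"),
    ("ws-02", "Windows", "148.0.7778.99"),   # sorts as newer when compared as a string
    ("ws-03", "Windows", "147.0.7700.10"),
    ("ws-04", "Windows", "not installed?"),
    ("ws-05", "Windows", "99.0.4844.51"),    # also sorts as newer as a string
    ("mac-01", "macOS", "147.0.7700.10"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```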
Risk and Exploitability
The vulnerability has a CVSS score of 8.3, indicating high severity, and is not listed in the CISA KEV catalog. The Chromium risk assessment rates it as medium severity. The likely attack vector involves a remote attacker who has already bypassed the initial rendering sandbox; this requires the attacker to have access to the renderer process, possibly through social engineering or cross‑site scripting. Because the vulnerability is a use‑after‑free, exploitation demands precise timing and memory layout, which raises the technical barrier. Nonetheless, once a renderer process is compromised, the attack path to full code execution becomes available and can affect the confidentiality, integrity, and availability of the compromised system.